By Rich Curtiss, Principal, Healthcare Risk Assurance Services, Coalfire
Twitter: @CoalfireSys
Many HIPAA covered entities (CEs) and business associates (BAs) may not be meeting the regulatory mandate as defined in §164.308(a)(1)(ii)(A) of the HIPAA Security Rule. This implementation specification requires that healthcare delivery organizations (HDOs) “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
This requires what I’ll call an Office for Civil Rights (OCR)-grade risk analysis that is clearly scoped and defined under the title “Guidance on Risk Analysis Requirements under the HIPAA Security Rule.”
There are several factors contributing to decisions not to conduct an OCR-grade risk analysis, including the reduction in formal OCR audits of CEs and BAs. Is this a reasonable and/or appropriate rationale for delaying a risk analysis, or for reducing its scope and priority?
The thinking goes something like this: The OCR isn’t executing audits, so I don’t need to concern myself with conducting or updating my risk analysis since they won’t be calling, writing, or visiting. Therefore, I’ll use my budget for something else.
Unfortunately, this is a gambit that may not play out in your favor given a corollary HIPAA Privacy Rule specification and guidance regarding HIPAA complaints and potential OCR investigations. Specifically, anyone may file a health information privacy or security complaint directly to the OCR using the OCR Portal. Complaints may also be submitted via email or mail. They can be anonymous and may be submitted when an individual thinks a healthcare organization is not “following the rules.”
The complaint process is documented by the U.S. Department of Health & Human Services (HHS) on their website, which contains links to the portal and other amplifying information. HIPAA requires that CEs and BAs make this same information available to individuals whose Protected Health Information (PHI) may be under their control.
What does this have to do with an OCR risk analysis? A lot!
Once the OCR determines a complaint is legitimate, they will contact the organization to determine whether an official investigation is required. The paper trail begins with an official OCR investigation letter. The letter will typically require submittal of all applicable HIPAA documentation including policies and procedures related to the complaint. Among the documentation required by the OCR is the submission of the organization’s latest risk analysis and risk management plan. Sometimes this request takes the form of an enterprise risk analysis. This analysis would cover all hospitals, practices, and centers associated with the HDO and not just the affected facility.
The OCR routinely presents statistics indicating that a very large portion (more than 80%) of submitted risk analyses fail to meet their standards for thoroughness, completeness, and construct. There’s often much confusion in the healthcare sector about what constitutes an acceptable OCR risk analysis, and many organizations take a simplified approach to determine how well they meet the Security Rule specifications and consider this a risk analysis. In April 2018, the OCR released a newsletter informing their constituency of the differences between a HIPAA Security Rule gap analysis and a well-defined risk analysis.
It’s all about the electronic PHI (ePHI) and where it lives. How is ePHI being protected, safeguarded, controlled, maintained, stored, processed, created, sent, and received? Answering that is not necessarily simple, but it is critical and necessary.
Remember – it only takes one complaint to the OCR to launch an investigation that results in a request for your most current risk analysis and risk management plan. Would it be OCR-grade? Before the OCR comes knocking, you should ensure your risk analysis is accurate, thorough, and meets OCR expectations.